How Can I Find Thee? Let Me Count the Ways - Automated Bug Finding in Practice

Over the past decade, there have been a number of automatic and semi-automatic approaches used to help security professionals find bugs, including dataflow analysis, blackbox web application scanning, fuzzing, and more. Despite the fact that a number of these techniques are now widely used, there tends to be a lack of discussion and clarity around the fundamental underpinnings of the approaches and their inherent tradeoffs.

In this talk, we’ll provide an overview of a number of automated bug finding techniques, ranging from the well known, such as fuzzing, dataflow analysis, and blackbox scanning, to less common techniques that are gaining traction, such as symbolic execution, model checking, and abstract interpretation.

For each technique, we’ll give a high level introduction that provides you with an intuition for how and why the technique works. Then, we’ll discuss the strengths and weaknesses of the technique, including the types of bugs and classes of problems it’s effective at finding, and those it’s not. We’ll also describe inherent implementation tradeoffs any creator of such a tool needs to make, and link to open source tools you can play with as well as conference talks and academic papers you can review to learn more.

You’ll leave this talk with an understanding of the wide variety of automated bug finding approaches out there. You’ll know which techniques might be applicable in your own work, and you’ll have the background knowledge necessary to make more informed decisions when assessing potential open source or commercial tools.

Clint Gibler

Dr. Clint Gibler is a senior security consultant and research director at NCC Group, a global information assurance specialist providing organizations with security consulting services. By day, he performs penetration tests of web applications, mobile apps, and networks for companies ranging from large enterprises to new startups. Clint is also a co-founder of Practical Program Analysis LLC.

Clint has spoken at a number of conferences, including BlackHat USA, AppSec EU, AppSec Cali, Virus Bulletin, and others. Clint holds a Ph.D. in Computer Science from the University of California, Davis, where his research focused on mobile security.

Daniel DeFreez

Daniel DeFreez is a co-founder of Practical Program Analysis LLC, a boutique security firm specializing in building security tools that make pen testers and security engineers more efficient. Daniel is also currently a PhD student at the University of California, Davis, where his research focuses in developing program analysis techniques to find bugs in the Linux kernel.